The Hacker News — Cyber Security, Hacking, Technology News

So you love Minecraft? You might want to be very careful before downloading the cheats for the popular Minecraft game from Google Play Store.

Nearly 3 Million users have downloaded malicious Minecraft Android applications for their smartphone and tablets from the Google Play store, security researchers warned.

The security researchers from IT security firm ESET have uncovered as many as 33 fake "scareware" applications that have been uploaded to the Google Play store in the course of the past 9 months, masquerading as Minecraft cheats and tip guides.

These malicious applications have been downloaded between 660,000 and 2.8 million times.

"All of the discovered apps were fake in that they did not contain any of the promised functionality and only displayed banners that tried to trick users into believing that their Android system is infected with a dangerous virus," ESET researcher Lukas Stefanko wrote in a blog post.

Once downloaded, these malicious applications show banners designed to trick victims into believing that a dangerous virus has infected their Android smartphone devices.

The pop-up alert message also gives victims an option to remove the virus from their device, which actually activates a premium-rate SMS subscription costing around €4.80 (£3.40) per week - around £177 per year.

Stefanko says that many users who downloaded the malicious Minecraft apps thought they were genuine because they downloaded and installed them from the Google Play Store. Thus, the usual advice not to download apps from third-party websites does not apply in this case.

These scareware Minecraft apps appear to have been developed by the same developer but feature different names and icons.

"They were uploaded to the [Google] Play store by different developer accounts, but we assume that these were all created by one person," Stefanko says.

Moreover, in an attempt to make the scam appear legitimate, the cybercriminals took advantage of the names of reputable mobile anti-virus vendors, such as G-Data.

The fake Minecraft apps have since been removed from the Google Play store, the researchers revealed. You can still protect yourself from falling victim to apps like these by using good security software on your smartphone and avoiding apps from unknown sources.

This isn't the first time the Google Play Store has been found distributing malicious applications. The Play store has a long history of malicious and fake apps.

However, the search engine giant has been trying to get rid of this issue by making use of the Bouncer bot that helped reduce the number of malicious apps by as much as 40 percent since 2011. Back in March, Google also announced plans to manually review Play Store Android app submissions.

Security researchers have unearthed a new Android Trojan that tricks victims into believing they have switched their device off while it continues "spying" on the users' activities in the background. So next time you turn off your Android smartphone, make sure it has actually powered down.

The new Android malware threat, dubbed PowerOffHijack, has been spotted and analyzed by researchers at the security firm AVG. It is called PowerOffHijack because the malware has a very unusual feature - it hijacks the shutdown process of the user's mobile phone.

MALWARE WORKS AFTER SWITCHING OFF MOBILES

When a user presses the power button on their device, a fake dialog box is shown. The malware mimics the shutdown animation and the device appears to be off, but actually remains on, giving the malicious program freedom to operate on the device and steal data.

"After pressing the power button, you will see the real shutdown animation, and the phone appears off. Although the screen is black, it is still on," AVG’s mobile malware research team explained in a blog post. "While the phone is in this state, the malware can make outgoing calls, take pictures and perform many other tasks without notifying the user."

HOW DOES THE POWEROFFHIJACK MALWARE WORK?

Once installed, the malware asks for root-level permissions and tampers with the 'system_server' file of the operating system to affect the shutdown process. The malware particularly hijacks the mWindowManagerFuncs interface, so that it can display a fake shutdown dialog box and animation every time the victim presses the power button.

The malware is apparently being propagated via third-party online app stores, but the researchers haven't named the innocent-looking apps that carry it, nor have they explained how the malware gains root access on the device. The code shown by AVG appears to contact Chinese services.

So far, PowerOffHijack malware has already infected more than 10,000 devices, mostly in China where the malware was first introduced and offered through the local, official app stores.

The PowerOffHijack malware has the ability to silently send large numbers of premium-rate text messages, make calls to expensive overseas numbers, take photos and perform many other tasks even while the phone is supposedly switched off.

EASY STEPS TO GET RID OF POWEROFFHIJACK
In order to get rid of PowerOffHijack malware, users are advised to take some simple steps:

We all have Internet-connected smartphones in our pockets, but it's very hard to find a place on the Internet where you can feel secure and private. No doubt there is data encryption on cell phones, but what's the use if it is cracked by hackers or law enforcement?

What if the encrypted files don't appear to exist in the first place for law enforcement to decrypt? That's the motive behind DroidStealth, a new Android encryption tool that not only protects sensitive data with encryption and obfuscation, but also hides its own existence on your phone, as if there were nothing to hide.

DroidStealth Android app has been developed by security researchers from Delft University of Technology in the Netherlands and would come as a windfall to both the privacy lovers and the cyber criminals.

STEALTH LOGIN MECHANISM

The DroidStealth Android encryption tool creates a hidden folder on your phone in which it stores all your encrypted files. The app itself can be opened either by dialing a phone number of any length, which actually serves as a PIN, or by tapping an invisible widget on your phone's home screen five times.

The application is designed to hide the existence of any protection mechanism, since a visible one usually hints to casual inspectors that there is something worth tampering with in an attempt to gain access to the user's encrypted data.

According to developer quartet Olivier Hokke, Alex Kolpa, Joris van den Oever and Alex Walterbos of Delft University of Technology, several other disguise techniques, such as hiding the app within a flashlight program, are used to hide your private data.

"Since simply encrypting the data is not enough, our approach provides an added step of obfuscation that increases security of the data: DroidStealth hides itself," the group wrote in the paper titled, 'A Self-Compiling Android Data Obfuscation Tool' co-authored with supervisor Johan Pouwelse.

"Instead of actually calling the number, the application launches, requesting the pin code. Furthermore, DroidStealth fully intercepts the call, making sure the number never gets added to the call log."

FEATURES OF DROIDSTEALTH

Some DroidStealth Android encryption tool features are listed below:

The app is stored in a secretive mode, and can be renamed to appear as a benign app to "hide in plain sight".

The app doesn’t appear under the normal downloaded app list.

The app provides notification to the user if any of the secret files are left unlocked.

The app can be kept out of the running process list when not in use.

The app does not pop up in the recent visited list.

LIMITATIONS OF DROIDSTEALTH

In a centralized store the DroidStealth Android encryption tool would result in a possible exposure threat, so it was distributed "nomadically" as an untrusted Android application rather than from the Google Play Store which would show up in a user's list of installed apps.

Secret data files would be encrypted using Facebook's Conceal API and could not be accessed from other apps or from its original location.

DRAWBACK OF DROIDSTEALTH

DroidStealth also has some major drawbacks, which are listed below:

The data is encrypted and decrypted within the app.

Uninstalling the app may lead to deletion of all the data.

Low memory on the phone might cause the application to be force-quit, which can lead to loss of the data.

If a user's phone falls into the hands of investigators while the app is in decrypted mode, it would be difficult for the user to keep the data away from officials.

GET DROIDSTEALTH NOW

The developers said that the DroidStealth Android encryption tool's user interface (UI) is chosen black "in order to give users the feeling that they are indeed working in secret".

The DroidStealth app is not released on Google Play, but users can get it as an untrusted APK. The APK is available as an unaligned version, and users can download the nomadic versions of the app that are available throughout the Internet.

Security researchers have warned of a pair of vulnerabilities in the Google Play Store that could allow cyber crooks to install and launch malicious applications remotely on Android devices.

Tod Beardsley, technical lead for the Metasploit Framework at Rapid7, warns that an X-Frame-Options (XFO) vulnerability, when combined with a recent Android WebView (Jelly Bean) flaw, creates a way for hackers to quietly install any arbitrary app from the Play store onto a victim's device without the user's consent.

USERS AFFECTED

The vulnerability affects users running Android version 4.3 Jelly Bean and earlier versions of Android that no longer receive official security updates from Android security team for WebView, a core component used to render web pages on an Android device. Also, users who have installed third party browsers are affected.

According to the researcher, the web browser in Android 4.3 and prior is vulnerable to a Universal Cross-Site Scripting (UXSS) attack, and the Google Play Store is vulnerable to a Cross-Site Scripting (XSS) flaw.

UNIVERSAL CROSS-SITE SCRIPTING FLAW

In UXSS attacks, client-side vulnerabilities are exploited in a web browser or browser extensions to generate an XSS condition, which allows the malicious code to be executed, bypassing or disabling the security protection mechanisms in the web browser.

"Users of these platforms may also have installed vulnerable aftermarket browsers," Beardsley explains in a blog post on Tuesday. "Until the Google Play store XFO [X-Frame-Options] gap is mitigated, users of these web applications who habitually sign in to their Google Account will remain vulnerable."

At the beginning of this month, a Universal Cross Site Scripting (UXSS) flaw was discovered in all the latest versions of Internet Explorer that allows malicious hackers to inject malicious code into users' websites and steal cookies, session and login credentials.

The security researcher demonstrated the issue with JavaScript and Ruby code showing that a response from the play.google.com domain can be generated without the appropriate XFO header.

METASPLOIT MODULE IS PUBLICLY AVAILABLE

A Metasploit module has been created and made public on Github in order to help enterprise security bods test corporate-issued smartphones for exposure to the vulnerability. According to the advisory, the remote code execution is achieved by leveraging two vulnerabilities on affected Android devices:

First, the module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android's open source stock browser (the AOSP Browser) as well as some other browsers, prior to 4.4 (KitKat).

Second, the Google Play store's web interface fails to enforce an X-Frame-Options: DENY header on some error pages, and therefore can be targeted for script injection. As a result, this leads to remote code execution through Google Play's remote installation feature, as any application available on the Google Play store can be installed and launched on the user's device.

HOW TO PREVENT BEING EXPOSED

Use a web browser that is not susceptible to widely known UXSS vulnerabilities, such as Google Chrome, Mozilla Firefox or Dolphin. This helps mitigate the lack of universal X-Frame-Options (XFO) coverage for the play.google.com domain.

Another effective way is to simply log out of the Google Play store account in order to avoid the vulnerability, although this practice is highly unlikely to be adopted by most users.


A group of security researchers has discovered a method to hack into six out of seven popular smartphone apps, including Gmail, across all three platforms - Android, Windows, and iOS - with a shockingly high success rate of up to 92 percent.

Computer scientists at the University of California Riverside Bourns College of Engineering and the University of Michigan have identified a new weakness they believe exists in the Android, Windows, and iOS platforms that could possibly be used by hackers to obtain users' personal information using malicious apps.

The team of researchers - Zhiyun Qian, of the University of California, Riverside, and Z. Morley Mao and Qi Alfred Chen from the University of Michigan - will present its paper, "Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks" (PDF), at the USENIX Security Symposium in San Diego on August 23.

The paper details a new type of hack method, which they call a UI [user interface] state inference attack - running a malicious app in the background without the user's knowledge. You can watch some short videos of the attacks in action below.

Although the researchers demonstrated the hack using an Android device, they believe that the same method could be used across all three operating system platforms, because when a user downloads multiple apps to their smartphone, the apps all run on the same shared platform, or operating system.

"The assumption has always been that these apps can't interfere with each other easily," said Zhiyun Qian, an associate professor at UC Riverside. "We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user."

Users are therefore open to such attacks, since an Android phone allows one app to be hijacked or pre-empted by another. According to the team, the method could allow a hacker to steal a user's password or social security number, peek at a photo of a check in a banking app, or swipe credit card numbers and other sensitive data. The team tested several apps and found some of them, including WebMD, Chase and Gmail, to be vulnerable.

To demonstrate the method of attack on an Android device, an unsigned app such as a wallpaper changer carrying malicious code is first installed on the user's phone. Once installed, an attacker can use it to access an entry point the researchers call a "shared-memory side channel" - which exists in nearly all popular Graphical User Interface (GUI) systems - of any process, without requiring any special privileges.

The researchers then monitored the changes in this shared memory and were able to determine specific "activity transition events", such as a user logging into Gmail or H&R Block, or taking a picture of a cheque to deposit it online via Chase Bank.

In all, the team tried to attack seven apps, of which six were easily hacked. Gmail and H&R Block were the easiest to hack, with a success rate of 92 percent. On the other hand, Amazon was by far the hardest, with just a 48 percent success rate.

"The Amazon app case indicates that our inference method may not work well if certain features are not sufficiently distinct, especially the major contributors such as the transition model and the network event feature," the researchers write in the paper.

Using a few other side channels, the team was able to accurately detect what a user was doing in real time in an app. Because this security hole is not unique to Android, the hack could presumably be used on iOS and Windows as well, the researchers say.

A successful attack requires two things:

First, the attack needs to take place at the exact moment that the user is performing the action.

Second, the attack needs to be conducted in such a way that the user is unaware of it.

The team managed to pull this off by carefully timing the attacks.

"We know the user is in the banking app, and when he or she is about to log in, we inject an identical login screen," said electrical engineering doctoral student Qi Alfred Chen from the University of Michigan. "It's seamless because we have this timing."

At the USENIX Security Symposium, the researchers will recommend methods to try and eliminate the side channel and will suggest more secure system designs, the team said in the paper. But if you want to keep yourself safe from an attack like this, it's always good practice to be very careful about the apps you download onto your phone, especially apps from unofficial sources.

Researchers have warned users of Android devices to avoid app downloads, particularly from unauthorized sources, since a new and sophisticated piece of malware is targeting Android users through phishing emails.

The malware, dubbed SandroRAT, is currently being used by cybercriminals to target Android users in Poland via a widely spread email spam campaign that delivers a new variant of an Android remote access tool (RAT).

The emails masquerade as a bank alert that warns users of a malware infection on their mobile device and offers a fake mobile security solution in order to get rid of the infection.

The mobile security solution poses as Kaspersky Mobile Security, but in reality it is a version of SandroRAT, a remote access tool devised for Android devices, whose source code has been on sale on underground Hack Forums since December last year.

A mobile malware researcher at McAfee, Carlos Castillo, detailed the new variant of Android remote access trojan over the weekend in a blog post. According to the researcher, the package spread via phishing campaign is capable of executing several malicious commands on the infected devices.

SandroRAT gives the attacker unrestricted access to sensitive details such as SMS messages, contact lists, call logs, browser history (including banking credentials), and GPS location data stored on Android devices, and stores all the data in an "adaptive multi-rate file on the SD card" to later upload it to a remote command and control (C&C) server.

"Spam campaigns (via SMS or email) are becoming a very popular way to distribute Android malware, which can steal personal information or even obtain complete control of a device with a tools like SandroRat,” wrote Carlos Castillo. “This attack gains credence with the appearance of a bank offering security solutions against banking malware, a typical behavior of legitimate banks."

This new version of SandroRAT also has a self-update feature in it and it can install additional malware through user prompts for such actions. The malware gives the attacker full control over the messages, who can intercept, block and steal incoming messages, as well as insert and delete them.

It also appears that the attacker can send multimedia messages with specific parameters sent by the C&C server and can also record nearby sounds using the device’s mic.

Castillo also notes that the SandroRAT variant of malware had decryption capabilities for older releases of Whatsapp messaging app. But, the users running the latest version of Whatsapp in their Android devices are not vulnerable because the developers adopted a stronger encryption scheme.

“This decryption routine will not work with WhatsApp chats encrypted by the latest version of the application because the encryption scheme (crypt7) has been updated to make it stronger (using a unique server salt),” Castillo explained. “WhatsApp users should update the app to the latest version,” he advised.

Users are advised to avoid application downloads from unauthorized sources, particularly when the app download link is sent through an email. Good practice is to always prefer downloading apps from the Google Play Store or other trusted sources. Stay Safe! Stay Tuned!

Many smartphone applications support installation or app data storage on an external SD card, which can be helpful in saving space in internal memory but also leaves that data vulnerable to hackers.

Typically, an app that has permission to read and write data from an SD card has the permission to read all data on that card, including information written by other apps. This means that if you install a malicious application by mistake, it can easily steal any sensitive data from your Phone's SD Card.

To prevent the data from being misused by any other app, the best implementation is to encrypt the data, but that will drop the performance of the device.

On its 10th birthday, as a treat for mobile developers, Facebook has unveiled the source code of its Android security tool 'Conceal', a cryptographic API Java library that allows app developers to encrypt data on disk in a resource-efficient way, with an easy-to-use programming interface.

Smaller than other cryptography libraries and built for speed, Conceal might end up being the best solution. "We saw an opportunity to do things better and decided to encrypt the private data that we stored on the SD card so that it would not be accessible to other apps," a Facebook software engineer said in a blog post.

The tool is based on algorithms from OpenSSL, a common open source encryption system for the web:

"Conceal doesn't implement any crypto. Instead, it uses specific cryptographic algorithms from OpenSSL. OpenSSL's crypto library is about 1MB when built for armv7. By using only the parts of OpenSSL we needed, we were able to reduce the size of OpenSSL to 85KB. We believe providing a smaller library will reduce the friction of adopting state of the art encryption algorithms, make it easier to handle different Android platform versions, and enable us to quickly incorporate fixes for any security vulnerabilities in OpenSSL as well."

Conceal is smaller and faster than existing Java crypto libraries and uses AES-GCM, an authenticated encryption algorithm that helps to detect any tampering with the data. "We instead use AES-GCM which is an authenticated encryption algorithm that not only encrypts the data, but also computes a MAC of the data at the same time," he said.

The library also provides resources for storing and managing keys to protect against known weaknesses in the Android's random number generator. Conceal officially supports Android 2.3 and higher (Gingerbread). It will run on 2.2 (Froyo) phones as well.

The company is already using the tool in the primary Facebook app for Android. Developers can access the Conceal API on GitHub.

In September, Google added a remote device-locking capability to its Android Device Manager, allowing users to lock their phone if it's stolen or lost.

The mechanism allows users to override the existing device lock and set a password for better security.

But recently, the Curesec Research Team from Germany discovered an interesting vulnerability (CVE-2013-6271) in Android 4.3 that allows a rogue app to remove all existing device locks activated by a user.

'The bug exists on the "com.android.settings.ChooseLockGeneric class". This class is used to allow the user to modify the type of lock mechanism the device should have.' the CRT team says in a blog post.

Android OS has several device lock mechanisms, such as PIN, password, gesture and even face recognition, to lock and unlock a device. To modify the lock settings, the device asks the user to confirm the previous lock.

But if a malicious application is installed on the device, it could exploit the flaw to unlock the device without knowing the previous password. Attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions, which may aid in further attacks.

The Curesec Team has already reported the vulnerability to the Google Android Security Team three times, but unfortunately Google is not responding to them about this issue.

Update – 3:11 PM Thursday, December 5, 2013 (GMT) : Curesec Team has released a proof of concept application (CRT-Removelocks.apk) and Source code to demonstrate the vulnerability.

I installed and tested the application on my Samsung Galaxy S4 with Android 4.3 Jelly Bean, and seriously - just one single click on 'Remove Lock Now', and it immediately removed my pattern lock from the device.

The most common approach to protecting data during communication on the Android platform is to use the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols. Thousands of applications in the Google Play market use these implementations.

A group of researchers, including Sascha Fahl, Marian Harbach, Thomas Muders and Matthew Smith from the Distributed Computing & Security Group at Leibniz University of Hannover, Germany, and Lars Baumgärtner and Bernd Freisleben from the Department of Mathematics & Computer Science at Philipps University of Marburg, Germany, have presented a paper showing that many of these applications contain serious mistakes in the way SSL/TLS is implemented, leaving them vulnerable to man-in-the-middle attacks that could compromise sensitive user data such as banking credentials, credit card numbers and other information.

Tests performed on 100 selected apps confirmed that 41 of them were vulnerable to known attacks. The team also built a proof-of-concept tool called MalloDroid that was designed to find the potentially exploitable SSL bugs in Android apps, which they then investigated further to determine whether an attack was in fact possible.


Android's app store is currently facing a new dilemma, as its security has been compromised once again. Researchers from security firm TrustGo have recently spotted on Google Play a bogus app that supposedly automates the updating of a batch of other apps.

The malicious code was hidden within an app named, "Updates" by developer Good Byte Labs (Package name: com.updateszxt) and was designed to look like an update to the Lookout™ mobile security application.

The malware, detected as Trojan!FakeLookout.A, is capable of stealing SMS and MMS messages and uploading them to a remote server via FTP. This virus has the potential to steal personal and business-sensitive data from the user's device.

Though there are no reports from infected users, it is believed that infected users are simply not aware of it yet. Calling it a "new approach being attempted by malware makers," TrustGo said the site in question "contains a Trojan file that targets multiple platforms including Windows, Mac, and Unix/Linux operating systems."

After the researchers notified Google, the app was removed from Google Play. The only protection as of now is to use good anti-virus software. If that doesn't help, a factory reset of the device is advised. Be sure to back up your data before the reset.

A French hacker has been arrested for spreading a virus through fake smartphone applications. Prosecutors say he stole tiny sums from 17,000 people, amassing about 500,000 euros (£405,000) since 2011.

Working from the basement of his parents' home in Amiens, France, he created malicious software that looked like normal smartphone apps, but these programs stole money through hidden transactions. He also used programs that sent him the usernames and passwords for gambling and gaming websites.

The man admitted his crimes to police after he was arrested in the northern French city of Amiens. He told officials that he was motivated by a strong interest in computers and the desire to be a software developer.

Users should be aware that cyber criminals are finding new ways to install malicious software on devices. The latest threat to Android phone users, according to the FBI, is a "work-at-home opportunity that promises a profitable payday just for sending out email."

The IC3 has been made aware of various malware attacking Android operating systems for mobile devices. Some of the latest known versions of this type of malware are Loozfon and FinFisher.

Loozfon is an information-stealing piece of malware. Criminals use different variants to lure the victims. One version is a work-at-home opportunity that promises a profitable payday just for sending out email. A link within these advertisements leads to a website that is designed to push Loozfon on the user’s device. The malicious application steals contact details from the user’s address book and the infected device’s phone number.

FinFisher is spyware capable of taking over the components of a mobile device. Once installed, the mobile device can be remotely controlled and monitored no matter where the target is located. FinFisher can easily be transmitted to a smartphone when the user visits a specific web link or opens a text message masquerading as a system update.

Last week, security experts at McAfee announced that more than 60% of Android malware uses fake premium SMS messages. In their post on this subject, McAfee said, “Malware authors appear to make lots of money with this type of fraud, so they are determined to continue improving their infrastructure, code, and techniques to try to avoid antivirus software. It’s an ongoing struggle, but we are constantly working to keep up with their advances.”

Safety tips from FBI to protect your mobile device:

When purchasing a Smartphone, know the features of the device, including the default settings. Turn off features of the device not needed to minimize the attack surface of the device.

Depending on the type of phone, the operating system may have encryption available. This can be used to protect the user’s personal data in the case of loss or theft.

With the growth of the application market for mobile devices, users should look at the reviews of the developer/company who published the application.

Review and understand the permissions you are giving when you download applications.

Passcode protect your mobile device. This is the first layer of physical security to protect the contents of the device. In conjunction with the passcode, enable the screen lock feature after a few minutes of inactivity.

Be aware of applications that enable Geo-location. The application will track the user’s location anywhere. This application can be used for marketing, but can be used by malicious actors raising concerns of assisting a possible stalker and/or burglaries.

Jailbreaking or rooting is used to remove certain restrictions imposed by the device manufacturer or cell phone carrier. This gives the user nearly unregulated control over what programs can be installed and how the device can be used. However, this procedure often involves exploiting significant security vulnerabilities and increases the attack surface of the device. Any time a user, application or service runs at the "unrestricted" or "system" level within an operating system, any compromise can take full control of the device.

Do not allow your device to connect to unknown wireless networks. These networks could be rogue access points that capture information passed between your device and a legitimate server.

If you decide to sell your device or trade it in, make sure you wipe the device (reset it to factory default) to avoid leaving personal data on the device.

Smartphones require updates to run applications and firmware. If users neglect this it increases the risk of having their device hacked or compromised.

Avoid clicking on or otherwise downloading software or links from unknown sources.

Use the same precautions on your mobile phone as you would on your computer when using the Internet.